Computer security systems often monitor computing devices for potential security threats. For example, a computing device may implement a traditional computer security system to protect against potential security threats. In this example, as the computing device attempts to download or open a new file, the traditional computer security system may determine whether that new file includes and/or represents malware. Unfortunately, while this traditional computer security system may be able to accurately classify well-known malicious and/or clean files, it may have difficulty classifying unknown files (e.g., zero-day threats and/or files encountered on only one computer within the computer security system's user base).
To increase the accuracy of such threat classifications, some computer security systems may involve and/or rely on human-driven security decisions. For example, a traditional computer security system may detect an unfamiliar file on a computing device. In this example, rather than attempting to classify the unfamiliar file entirely on its own, the traditional computer security system may turn to a human security analyst for the final decision as to whether the unfamiliar file should be classified as malicious, clean, or unknown. Unfortunately, while the human security analyst may have insight into and/or skill for making such security decisions that cannot be programmed, the traditional computer security system may fail to provide sufficient information about the unfamiliar file to enable the human security analyst to make a truly informed decision on how to classify and/or address the file's threat risk.
The instant disclosure, therefore, identifies and addresses a need for additional and improved systems and methods for curating file clusters for security analyses (especially those involving human-driven security decisions).